APT Clues, Correlation and Sample Sets - Antiy (PDF slide deck)
APT
Contents
A B
C D
Hangover
Unveiling an Indian Cyberattack Infrastructure (Norman)
http://blogs.norman.com/2013/security-research/the-hangover-report
HangOver sample hashes (date, hash prefix, sample):
2012-08-10 | 0D46****** | Sample 1
2012-10-21 | 734E****** | Sample 2
2012-07-24 | 9A20****** | Sample 3
2012-07-06 | CE00****** | Sample 4
2012-09-24 | DE81****** | Sample 5
2012-08-01 | F37D****** | Sample 6
Sample characteristics (packer, compiler, main behavior):
Sample | Packer | Compiler | Main behavior
Sample 1 | - | Microsoft Visual Basic 5.0 / 6.0 | VBScript; zolipas.info, http://zolipas.info/advd
Sample 2 | - | Microsoft Visual Studio .NET 2005 -- 2008 | Run C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\slidebar.exe; http://linkspectra.com/k1.php
Sample 3 | UPX 0.89.6 - 1.02 / 1.05 - 1.24 | Dev-C++ 4.9.9.2 | C:\ApplicationData\Prefetch\ log.txt
Sample 4 | UPX 0.89.6 - 1.02 / 1.05 - 1.24 | Microsoft Visual C++ 7.0 | csetup32.dll; secureplanning.net URL: http://secureplanning.net/download/logo2.jpg
Sample 5 | - | Microsoft Visual Studio .NET 2005 -- 2008 | c:\Documents and Settings\Administrator\Local Settings\Application Data\NTUSR\ntusr1.ini3log.txt; http://periodtable.eu/starx.php
Sample 6 | - | Dev-C++ 4.9.9.2 | C:\ApplicationData\ logFile.txt
Detection names for Sample 1 to Sample 6 (one vendor per line, names in sample order; short rows have unrecovered gaps):
(vendor label missing) | Trojan-Downloader.Win32.VB.bkrb | Trojan-Spy.Win32.KeyLogger.actw | Trojan-Spy.Win32.KeyLogger.absi | Trojan.Win32.Agent.sryd | Trojan-Spy.Win32.KeyLogger.acqh | Trojan.Win32.Agent2.fhog
McAfee |
Norton | Infostealer | Trojan.ADH | Trojan.Gen.2 | Trojan.Gen
(vendor label missing) | Trojan.Win32.Generic.12DC27CD | Backdoor/Agent.doyw | TrojanSpy.KeyLogger.cwwy | Trojan/Agent.gnxm | Trojan/Agent.gkpg
(vendor label missing) | TR/Zoli.A | TR/Agent.74328.1 | TR/Agent.21265 | TR/Spy.21504.351 | WORM/Agent.22813 | TR/Offend.KD.532260
(vendor label missing) | TrojanDownloader:Win32/Adodb.A | TrojanSpy:Win32/Keylogger.CB | Trojan:Win32/Sulunch | Trojan:Win32/Sulunch
BitDefender | Trojan.Generic.KDV.735533 | Trojan.Spy.Keylogger.WY | Trojan.Generic.7642155 | Gen:Trojan.Heur.RP.bmGfa05AQRai | IRC-Worm.Generic.22813 | Trojan.Generic.KD.532260
Network infrastructure seen in the samples: 4 domains, 3 IPs
Domains: mobileappworld.info, zolipas.info, ritownship.net, shopingcard.net
IPs: 202.120.58.34, 166.111.28.179, 58.196.146.57
URL and IP correlation (date, URL, IP, count):
2012/7/6 | http://shopingcard.net/MBA/plugins/tray2.exe | 202.120.58.34 |
2012/7/14 | http://shopingcard.net/Narco/plugins/tray2.exe | 202.120.58.34 |
2012/7/23 | http://shopingcard.net/MBA/plugins/winservice.exe | 202.120.58.34 |
2012/7/24 | http://shopingcard.net/June/plugins/plugintray.exe | 202.120.58.34 |
2012/7/24 | http://shopingcard.net/June/plugins/tray2.ex | 202.120.58.34 | 6
2012/7/25 | http://shopingcard.net/June/plugins/winservice.exe | 202.120.58.34 | 1
2012/8/1 | http://shopingcard.net/June/plugins/winservice.exe | 58.196.146.57 | 1
2012/8/10 | http://mobileappworld.info/100712/latest07/update.exe | 166.111.28.179 |
2012/9/24 | http://zolipas.info/advd/first-time/winvnc.exe | 202.120.58.34 |
2012/10/21 | http://ritownship.net/cdata/slidebar.exe | 202.120.58.34 | 31
Related work on malware visualization and characterization:
Malware Analysis Using Visualized Image Matrices (figure: `Pincav' (a) and `Zbot' (b))
Interactive, Visual-Aided Tools to Analyze Malware Behavior
Malware files clustering based on file geometry and visualization using R language
Visualization of Shared System Call Sequence Relationships in Large Malware Corpora
Malware Characterization using Behavioral Components
AVP detection names across the sample sets (havex, hangover, iceFog, Gauss, Duqu, Flame, Stuxnet):
HEUR:Trojan.Win32.Generic
Trojan.Win32.Agent
Trojan.Win32.Bublik
Trojan.Win32.Gertr
Trojan.Win32.Havex
Trojan.Win32.Sysmain.b
Trojan-Dropper.Win32.Daws.bqsi
Trojan-Dropper.Win32.Injector
Trojan-Spy.Win32.HavexOPC
Correlation dimensions: SSDEEP; IP / URL / IP
[Chart: sample counts by version (ver1 to ver4) for each family; values not recoverable from the extraction]
29
Method_A Method_B
Method_C
Method_D
Method_A+B
189
29hangover
26%
11%
55%
8%
hangover
Method_A Method_B Method_C Method_D
Microsoft Visual C++52%
Microsoft Visual Basic39%
Dev-C++1%
AutoIT36%
Borland Delphi2%
hangover
Microsoft Visual C++ Microsoft Visual Basic Dev-C++ AutoIT3 Borland Delphi
30Hangover
C&C
0day
Sample counts per APT set: havex 82, hangover 910, iceFog 68, Gauss 148, Duqu 38, Flame 151, Stuxnet 1969
APT sample sets: PE and non-PE counts per set
HAVEX 64 PE / 18 non-PE; HANGOVER 834 / 76; ICEFOG 68 / 0; GAUSS 148 / 0; DUQU 38 / 0; FLAME 149 / 2; STUXNET 1944 / 25
Flame, Stuxnet, Duqu, IceFog
Hangover, Havex, Gauss
[Chart: APT PE samples by year, 2006 to 2014, for Stuxnet, hangover, duqu, flame, gauss, havex, icefog]
APT C&C
Flame, Duqu, Stuxnet
Stuxnet
Stuxnet 0.5 (Symantec): "Stuxnet 0.5: How It Evolved"; "Stuxnet 0.5: The Missing Link"
APT
APT, 2004 - 2014